Ad: India’s Data Protection Bill is here, and your business needs to adapt. K&S Digiprotect, with its team of data protection experts, offers compliance services tailored to help you adapt to the new regulations, safeguard your data and build trust with your customers. Contact us now!
“Under chapter one, clause two, sub-section F, sir, a child is defined as an individual who has not completed the age of 18, sir, but we are giving permission for a person who is above 14 to work,” said Lavu Sri Krishna Devarayalu of the YSR Congress Party addressing the speaker during the Lok Sabha discussion on Digital Personal Data Protection Bill (DPDP Bill), 2023. However, despite his comment and those of many other experts (about the previous versions of the bill), the DPDP Bill was passed in the Lok Sabha with no changes to the definition of the word “child”.
Bagmishka Puhan, associate partner at TMT Law Practice, says, “The determination of a child under a data protection framework is still [emphasis hers] inconsistent with globally prevalent practices, and the nature of digital services, on offer, and targeted at children.” By “still” she means that while there have been revisions to other sections of the personal data protection bill, (change from “deemed consent” in the previous versions to “legitimate uses”), which is line with international standards, the same isn’t true for the definition of a child.
But the definition of the word child isn’t the only issue present with the way the bill looks at children’s data privacy online. Here are some of the other major concerns.
Lack of a definition of the word “harm”:
The current version of the bill doesn’t mention the word harm. Instead, it says that companies must not process any children’s data that is likely to have “any detrimental effect on the well-being of a child”. This is drastically different from previous versions of the bill where specific harms were listed such as — bodily or mental injury, loss or theft of identity, and discriminatory treatment.
While on paper, it seems better to have no definition of the word so that the government has greater scope to determine what does and doesn’t constitute a detrimental effect; in practice, it limits a child’s ability to get their concerns heard. “Even if some child goes to the DPB [data protection board] and says that my rights were violated, the entire process of proving that it was to my detriment [would be challenging], because the phrase, to the detriment of the wellbeing child, is also not defined,” said Nikhil Iyer of the Quantum Hub, when asked about the implications of the word “harm” being removed from the bill. He explained that proving detrimental effects would be even harder in situations where the effect being caused is “intangible,” like a negative impact on a child’s mental health.
Article continues below ⬇, you might also want to read:
- How does India’s Data Protection Law protect children’s data?
- A Complete Guide To India’s Digital Personal Data Protection Bill, 2023
- Fifteen Major Concerns With India’s Digital Personal Data Protection Bill, 2023
- India’s Data Protection Bill Tabled In The Lok Sabha: MPs Voice Concern
The issue with requiring “verifiable parental consent”:
Puhan explained that the requirement of collecting verifiable parental consent puts a heavy compliance burden on companies. Furthermore, there is a lack of clarity on how this consent will be taken. “The absence of clarity with respect to what constitutes as ‘verifiable parental consent’”, she said, “could lead to [an] extensive collection of Aadhaar and related information,” and create privacy implications.
Meanwhile, Iyer said that the bill considers parental consent as the end-all solution, which will ensure children’s safety online. He argued that assuming that consent is given, “the child could still be exposed to harmful content. They could try to look up hateful content, hate speech, or something that is illegal,” things that are not safe for their mental health. “Where does platform responsibility feature in this entire picture?”
Iyer further pointed out that when the issue of verifiable parental consent is looked at alongside the provision that forbids companies from monitoring the behaviour of children, it could effectively limit their ability to stop a child from performing actions that go against their well-being. “This blanket prohibition, plus this kind of over-reliance on parental consent, does not answer the question of [whether it] will it keep kids safe on the internet. That question is still open.”
Blacklisting vs whitelisting approaches to protecting children online:
Another aspect of the bill that is worth looking into is that if the central government believes that certain online platforms are processing data in a “verifiably safe manner,” it can exempt them from seeking parental consent and also allow them to track children in a certain age group. This process of whitelisting raises several questions. “There is a very clear issue of bureaucratic red-tapism that is going to come in – what if a platform makes some kind of incremental change for which they are forced to once again approach the ministry for that certification?” Iyer asked. He pondered over whether it would even be possible for startups to keep going to the ministry to seek certification again and again.
“It is likely to affect innovation in the long run,” he said, adding, “Even if a platform is made only for children, they have no incentive to keep improving it because they can always say we are legally compliant because we have followed this KYC [know your customer] process the government wants us to do.” He said that instead of asking the platforms to not process data that is detrimental to the well-being of a child, the bill should have asked them to meet the best interests of the child. This would have given companies an incentive to create better platforms.
Iyer said that his organization, the Quantum Hub urges for a free internet by default where all platforms would be allowed to process children’s data, ” with restrictions on whatever the best standards for the child are which is something that age-appropriate design codes in other jurisdictions also follow.”
Note: The story was updated to correct a typographical error.
STAY ON TOP OF TECH POLICY: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!